PCI DSS Compliance Checklist

FAQs to help verify your PCI DSS compliance

Without a high level of IT security skills and knowledge, achieving and maintaining PCI DSS compliance can be an arduous process. Here are some frequently asked questions to help make your organisation’s journey that bit smoother.

Sensitive authentication data includes full track data (magnetic stripe data or the equivalent on a chip), CAV, CVC, CVV and CID numbers, and PINs and PIN blocks.

Can cardholder data be stored?

Under PCI DSS, merchants and service providers are permitted to store cardholder data. Subject to specific usage and protection requirements, some acquirers may permit sensitive authentication data to be stored, but only prior to payment authorisation.

What is in scope of a PCI DSS assessment?

The PCI DSS security requirements apply to all system components included in or connected to an organisation’s cardholder data environment (CDE). The CDE encompasses all people, processes and technologies that store, process, or transmit cardholder and sensitive authentication data.

PCI DSS can apply across the whole of an organisation, or to a subset of it if the CDE has been correctly compartmentalised. System components in scope include network devices, servers, computing devices, and applications.

A merchant is defined as any entity that accepts payment cards from any of the five founding members of the PCI Security Standards Council (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.

A service provider, on the other hand, is a business entity that is not a payment brand and is directly involved in the processing, storage, or transmission of cardholder data. If an organisation provides a service that involves only the provision of public network access, such as a telecommunications company providing a communication link, then the organisation is not considered a service provider.

Note: Where a merchant stores, processes or transmits cardholder data on behalf of other merchants or service providers, it can also be a service provider.
